More than half of small businesses in the UK are unprepared for data breaches, CSID survey finds 74% had a security breach in the last year Over two thirds do not have a disaster recovery or business continuity plan in place
Despite an increased sense of awareness and frequent headlines of data breaches amongst well-known brands, small businesses in the UK still do not seem to understand that they are as much at risk of cyber attacks as large enterprises.
New research by CSID, a leading provider of identity protection and fraud detection solutions, shows that 52 percent of small businesses in the UK are not taking any preventative measures to protect themselves against cyber crime[1]. Furthermore, the study found that the vast majority (85.3%) do not have any plans to increase their budgets for security implementation, and less than 13 percent are working with a third party vendor to protect themselves.
This research coupled with findings from PWC’s recent 2015 Information Security Breaches Survey[2], demonstrate the enormity of the cyber security challenges small businesses face. PWC’s survey found that 74 percent have had a security breach in the last year, up from 60 percent in 2014. Not to mention, a breach is costly to a small business, with the average cost reaching between £75,000 and £311,000 – with the higher end reaching more than four times the average cost in 2014 (£65,000).
The following insights were found when small businesses were asked by CSID what their main concern is in the event of a data breach:
- Half of respondents (53%) were concerned their reputation would be damaged.
- Despite reputation being a main concern, 47 percent of respondents are monitoring what is written about their brands online, and less than 15 percent have a social media policy in place.
- Only 9 percent were worried about the negative impact on employees.
“While monitoring what is written about your business online is a good practice, we’re surprised by the lack of employee education and social media policies in place,” commented Andy Thomas, managing director of CSID in Europe. “It seems that time and again businesses misjudge the element of staff related security breaches which appear to be increasing every year. Yes, there will always be threats from malware, phishing and DOS, but never underestimate the human factor.”
Examining small business attitudes toward various types of threats, the research found that half of respondents indicated that they are most concerned with undetected malware, 33 percent stated phishing attacks, and the least concerning type of threat appears to be Bring Your Own Device (BYOD) with only 2 percent of answers.
To demonstrate just how effortlessly cyber criminals are targeting and exploiting small businesses, CSID recently developed a mock business, Jomoco, a fictitious coconut water company and built its presence online[3]. CSID also created two fabricated employees, allowed for common mistakes in their personal and work email accounts, and then watched Jomoco become the target for real cyber criminals to hack. Within one hour, the employees were locked out of their email and social accounts, the business web page was defaced, and more.
“By sharing secure details, such as login information and financial information, the two fictitious employees helped hackers bring a fledgling small business to a complete halt. Understanding and educating employees about the security threats associated with establishing and running a business should be the first step in mitigating risk,” concluded Thomas.
In the event of a breach, the CSID survey found that 63 percent of small businesses would most likely turn to their insurer, bank, lawyer or IT supplier for assistance; the police being the least likely first point of call. The findings indicate how important these relationships are and the responsibility these organisations have in assisting clients. Yet, a staggering 68 percent of respondent state that their IT service provider has not provided them with any information regarding data breaches and 68.6 percent confess to not having a disaster recovery or business continuity plan in place.
Steps small businesses should take to mitigate the risk of a data breach:
1) Develop security policies early and educate employees
Ensure employees understand the importance of workplace cyber security. Create and enforce password, BYOD and social media policies from day one. The more well educated the workforce is on the importance of security, the more likely they will be to employ better online habits at work and at home.
2) Monitor employee and customer credentials
Take advantage of software solutions that can help monitor the security of your business. A monitoring service can keep track of your business’ overall health and mitigate the risk of breach. Small business owners should also consider monitoring employee and customer credentials to detect fraudulent activity.
3) Create a breach preparedness plan
Have a breach preparedness plan in place. Practice transparent communication with the public and affected parties. Hiding details about a breach breeds distrust with customers, which can affect your business reputation. While damage control plan may not reduce the cost of repairing the breach, it can keep customer relationships in tact and diminish reputation damage.
CSID Europe Small Business Research, June 2015
This study is based on a survey of 102 small UK businesses during the month of June 2015, carried out via SurveyMonkey. 90 percent of the respondents have a staff of 0-5 employees; 4 percent of respondents employ 11-20; 3 percent employs 6-10 or 21-50.[su_box title=”About CSID” style=”noise” box_color=”#336588″]CSID is the leading provider of identity protection and fraud detection technologies for businesses, their employees, and consumers, across the globe. With CSID’s enterprise-level solutions, businesses can take a proactive approach to protecting the identities of their consumers all around the world. CSID’s comprehensive identity protection products include a full suite of identity monitoring services; insurance and full-service restoration; proactive breach mitigation and resolution; and credit monitoring.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.